VMware Horizon Client (PCoIP & Blast) Connection Workflow

Since I published the Horizon 7 Network Ports diagram with the latest release of Horizon 7, I’ve been frequently asked about the connection flow between the Horizon Client and the virtual desktop. VMware Horizon supports RDP, PCoIP and now Blast Extreme. I’ll start with PCoIP and then we’ll look at Blast Extreme. I’d also like to reference this excellent article by Mark Benson, Load Balancing with VMware Access Point.

The connection flow of the Horizon Client is mostly the same with Horizon 7, Horizon Air or Horizon DaaS. There may be differences in external load-balancing, Security Server or Access Point, and external URL configuration, but for this post I’ll focus on the Horizon Client itself and the aforementioned protocols.

A colleague asked me a very good question which I’d also like to address. How does Access Point know which VM to connect to?

Access Point doesn’t need to know which ESXi host is running the VM. When the entitled desktops are returned to the client (see 1b below), the client also receives the external URL of the Access Point appliance; this is where the Horizon Client > Access Point connection is established on HTTPS (TCP 443). That URL could be a VIP on the load-balancer, or an external-facing IP for each of the Access Point appliances, depending on the configuration (see Method 3 of Mark’s article).

When the user launches the chosen desktop pool, Access Point communicates with the Connection Server on HTTPS (TCP 443) to obtain the IP address of the brokered desktop. The PCoIP Gateway on the Access Point appliance then forwards the PCoIP connection to that IP address, i.e. to the Horizon Agent.

Note: In the past, Security Server used JMS, IPsec and AJP13; Access Point doesn’t use these protocols (JMS is still used on the Connection Servers). If you refer to my Horizon 7 Network Ports diagram, you’ll see I’ve drawn these with a dotted line to show this.

Tunneled Connections (PCoIP)

1a. The Horizon Client sends authentication credentials using the XML-API over HTTPS to the external URL on the Access Point appliance (or Security Server). This is typically a load-balancer VIP (Virtual IP).

1b. The HTTPS authentication data is passed through from Access Point to the Connection Server (Horizon 7) or the Tenant Appliance (Horizon DaaS). In the case of Security Server, the traffic is forwarded over AJP13, protected by IPsec, from the Security Server to its paired Connection Server. Any entitled desktop pool(s) are then returned to the client.

Note: If there are multiple Access Point appliances, which is often the case, a load-balancer VIP (Virtual IP address) will be used to load balance Access Point appliances. Security Servers are slightly different, in that each Security Server is paired with a Connection Server. No such pairing exists for Access Point.

2. The user selects a desktop or application, and the connection is initiated on TCP 4172 to Access Point / Security Server. This is the PCoIP session handshake.

3. A bi-directional PCoIP connection is then established on UDP 4172 for the session data between the Horizon Client and the pcoipExternalUrl of Access Point / Security Server. The PCoIP session is forwarded from Access Point / Security Server to the brokered virtual desktop (Horizon Agent).

Note: pcoipExternalUrl is the Access Point setting. When Security Servers are used in a Horizon solution, the PCoIP External URL configured on the paired Connection Server is used instead. Access Point just rocks :)

Tunneled Connections (Blast Extreme)

Blast Extreme is an enhanced remote session experience introduced with Horizon for Linux desktops, Horizon 7 and Horizon DaaS. In this case the connection flow from the Horizon Client differs from PCoIP.

1a. As before, the Horizon Client sends authentication credentials using XML-API over HTTPS to the external URL on the Access Point appliance (or Security Server). This is typically via a load-balancer VIP (Virtual IP).

1b. The HTTPS authentication data is passed through from Access Point to the Connection Server (Horizon 7) or the Tenant Appliance (Horizon DaaS). In the case of Security Server, the traffic is forwarded over AJP13, protected by IPsec, from the Security Server to its paired Connection Server. Any entitled desktop pool(s) are then returned to the client.

Note: If there are multiple Access Point appliances, which is often the case, a load-balancer VIP (Virtual IP address) will be used to load balance Access Point appliances. Security Servers are slightly different, in that each Security Server is paired with a Connection Server. No such pairing exists for Access Point.

2. The user selects a desktop or application, and a session handshake occurs over HTTPS (TCP 443) to Access Point / Security Server.

3. A secure WebSocket is established (TCP 443) for the session data between the Horizon Client and the Access Point / Security Server.

4. The Blast Secure Gateway service (on Access Point or Security Server) then attempts to establish a UDP transport for the session on port 443. UDP is preferred, but if it fails (e.g. because a firewall blocks it) the initial WebSocket connection on TCP 443 is used for the session data instead.

Client Drive Redirection (CDR), Multimedia Redirection (MMR)

Since I’m describing tunneled connections (via Access Point or Security Server), both CDR and MMR are encapsulated in HTTPS (TCP 443) from the Horizon Client to Access Point / Security Server. The HTTPS Secure Tunnel service (see the Horizon 7 Network Ports diagram) then connects to the Horizon Agent on TCP 9427 for the MMR and CDR traffic.

However, with Blast Extreme it is possible to configure CDR and MMR to use a TCP side channel on TCP 9427 instead. To do this you need to change the following registry key on the Horizon Agent: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware TSDR\tcpSidechannel
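To make the port requirements of the tunneled PCoIP and Blast Extreme flows above (including the CDR/MMR tunnel hop) concrete, here is an added example, not code from the original post or from VMware, that encodes each step as a hop, collapses the hops into the unique firewall rules they need, and can probe the TCP hops from the client side. Host names such as horizon-client, ap-external-url, connection-server and horizon-agent are placeholders, and the gateway-to-agent Blast port 22443 is taken from VMware’s Horizon 7 port list rather than from the flow described above, which only says the session is forwarded to the agent.

```python
# Added example (not from the original post or from VMware): the tunneled
# Horizon Client flows as a firewall-rule matrix, plus a live TCP probe.
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    step: str   # which numbered step of the post this hop belongs to
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    port: int


# Placeholder host names (assumptions, not real infrastructure).
CLIENT = "horizon-client"
GATEWAY = "ap-external-url"     # Access Point / Security Server external URL, usually a LB VIP
BROKER = "connection-server"    # Connection Server (Horizon 7) or Tenant Appliance (DaaS)
AGENT = "horizon-agent"         # the brokered virtual desktop


def tunneled_flows(display_protocol):
    """Return the hops a tunneled session needs, in the order they occur."""
    if display_protocol not in ("pcoip", "blast"):
        raise ValueError("display_protocol must be 'pcoip' or 'blast'")
    flows = [
        Flow("1a XML-API authentication", CLIENT, GATEWAY, "tcp", 443),
        Flow("1b auth pass-through", GATEWAY, BROKER, "tcp", 443),
        Flow("desktop IP lookup on launch", GATEWAY, BROKER, "tcp", 443),
    ]
    if display_protocol == "pcoip":
        flows += [
            Flow("2 PCoIP handshake", CLIENT, GATEWAY, "tcp", 4172),
            Flow("3 PCoIP session data", CLIENT, GATEWAY, "udp", 4172),
            Flow("3 PCoIP gateway forward", GATEWAY, AGENT, "tcp", 4172),
            Flow("3 PCoIP gateway forward", GATEWAY, AGENT, "udp", 4172),
        ]
    else:
        flows += [
            Flow("2 Blast handshake", CLIENT, GATEWAY, "tcp", 443),
            Flow("3 Blast secure WebSocket (TCP fallback)", CLIENT, GATEWAY, "tcp", 443),
            Flow("4 Blast UDP transport (preferred)", CLIENT, GATEWAY, "udp", 443),
            # 22443 is from VMware's Horizon 7 port list, not from the post's flow.
            Flow("Blast Secure Gateway forward", GATEWAY, AGENT, "tcp", 22443),
        ]
    flows += [
        Flow("CDR/MMR inside the HTTPS tunnel", CLIENT, GATEWAY, "tcp", 443),
        Flow("CDR/MMR secure tunnel forward", GATEWAY, AGENT, "tcp", 9427),
    ]
    return flows


def firewall_rules(flows):
    """Collapse the hop list into unique (src, dst, proto, port) allow rules,
    keeping first-seen order. Steps that share a socket (all the client ->
    gateway TCP 443 hops, for instance) become a single rule."""
    seen, rules = set(), []
    for f in flows:
        key = (f.src, f.dst, f.proto, f.port)
        if key not in seen:
            seen.add(key)
            rules.append(key)
    return rules


def render_rules(rules):
    return [f"allow {src} -> {dst} {proto}/{port}" for src, dst, proto, port in rules]


def check_tcp(host, port, timeout=2.0):
    """Live probe of one TCP hop from wherever this script runs. UDP cannot
    be checked this way: a silently dropped UDP port looks identical to an
    open one, so UDP 4172 / UDP 443 need a real PCoIP or Blast session."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_hops(rules, origin, checker=check_tcp):
    """Probe every TCP rule whose source is `origin`; returns {rule: reachable}."""
    return {r: checker(r[1], r[3]) for r in rules if r[0] == origin and r[2] == "tcp"}


if __name__ == "__main__":
    for proto in ("pcoip", "blast"):
        print(f"== {proto} (tunneled) ==")
        for line in render_rules(firewall_rules(tunneled_flows(proto))):
            print(line)
```

Run it as a script to print the rule list for each display protocol; replace the placeholder names with your external URL, Connection Server and a desktop address and call check_hops(rules, CLIENT) from a client network to confirm the TCP hops. Note that the probe tells you nothing about UDP 4172 or UDP 443, which is exactly the case the Blast Extreme TCP fallback in step 4 silently papers over, so a session that "works" may still be running on the slower TCP path.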

I installed Horizon Agent 7.0.2 and checked the registry you mentioned in CDR & MMR section.
I found “\HLM\Software\VMware, Inc.\VMware TSDR\sideChannelType” but could not find a key named “tcpSidechannel”.

When I want to change the behavior of CDR, should I change the value of “sideChannelType”? Or do I need to add “tcpSidechannel” key?

I am very new to Horizon View and am not really well-versed with the workings/configurations of the Connection Server yet.

I have an environment with a load balancer and 2 Connection Servers behind it. The load balancer has a VIP/URL and is responsible for load balancing the traffic across both Connection Servers.

In my scenario, what would the “Ext. URL” settings for both my Connection Servers be? Would it be the VIP/URL of the LB or the PCOIP/Blast IP addresses (if tunneling is a requirement)? For my setup, I would assume that the PCOIP/Blast Gateway addresses are the IP addresses of my Connection Servers since I did not set up any Security Servers.

What other configuration should I be aware of? Should I be thinking of configuring a Security Server?

Hey there, Ray,
I have a question about Horizon View Security Server HTML Access on a Chrome browser.
Recently I installed and configured a Security Server which has an external FQDN client address,
and it works correctly with Firefox and MS Edge.
I really appreciate your help.
Thanks

Great blogpost, it helps me a lot in my documentation work so thanks a lot for that!

Was wondering though, what do RDP connection flows look like in this setting?

Another thing I’m not quite following in your post is the section about CDR and MMR. Do I understand it correctly that the connection is initiated on HTTPS (443) from the Horizon Client to the AP, and then switched to TCP (9427) before being forwarded to the Horizon Agent, whilst the TCP side channel for Blast Extreme is on TCP (9427) all the way from the client to the agent?